We did notice the other day that two icons installed themselves on each user's desktop - Help & support and Windows Update. I looked at the properties of these two icons and found that they refer to a website - "http://www.storageprotector.com/clean" with some other text that I can neither copy nor edit.
I discovered this forum yesterday and got combofix.exe and hijackthis.exe based on other threads that I read.
I hope you can help us.
Thanks,
Eileen Riedel
Here are my logs:
ComboFix 08-02.05.3 - Eileen Riedel 2008-02-04 20:01:00.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.542 [GMT -8:00]
Running from: C:\Documents and Settings\Eileen Riedel\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\geeby.dll
C:\WINDOWS\system32\knnienno.dll
C:\Documents and Settings\Ashley Riedel\Application Data\SpyGuardPro
C:\Documents and Settings\Ashley Riedel\Application Data\SpyGuardPro\Logs\threats.log
C:\Documents and Settings\Ashley Riedel\Application Data\SpyGuardPro\Logs\update.log
C:\Documents and Settings\Ashley Riedel\ResErrors.log
C:\Documents and Settings\Matthew Riedel\Application Data\install.dat
C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe
C:\Program Files\Common Files\ppatch~1
C:\Program Files\Common Files\ppatch~1\??pPatch\
C:\Program Files\crosof~1.net
C:\Program Files\Hotbar
C:\Program Files\McAfee\SpamKiller\MskDetct.exe
C:\Program Files\Temporary
C:\Program Files\Temporary\kernInst.exe
C:\SpyGuardPro
C:\WINDOWS\system32\bbuigrkv.ini
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\dfhdbtcj.dll
C:\WINDOWS\system32\fvqvqtqh.dll
C:\WINDOWS\system32\geeby.dll
C:\WINDOWS\system32\geeby.exe
C:\WINDOWS\system32\gnvbnyru.dll
C:\WINDOWS\system32\hqtqvqvf.ini
C:\WINDOWS\system32\jmjrqtbo.ini
C:\WINDOWS\system32\knnienno.dll
C:\WINDOWS\system32\knnienno.dllbox
C:\WINDOWS\system32\kpcjnvxk.ini
C:\WINDOWS\system32\kxvnjcpk.dll
C:\WINDOWS\system32\lrygahgu.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pxxabuxa.dll
C:\WINDOWS\system32\rglorupm.dll
C:\WINDOWS\system32\sjvwrxys.dll
C:\WINDOWS\system32\sjvwrxys.dllbox
C:\WINDOWS\system32\ybeeg.ini
C:\WINDOWS\system32\ybeeg.ini2
.
((((((((((((((((((((((((( Files Created from 2008-01-05 to 2008-02-05 )))))))))))))))))))))))))))))))
.
2008-02-04 19:51 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-02-04 00:00 . 2008-02-04 00:00 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-02-03 20:59 . 2008-02-03 20:59 13,646 --a------ C:\WINDOWS\system32\wpa.bak
2008-02-03 20:53 . 2004-08-10 04:13 73,728 --a--c--- C:\WINDOWS\system32\dllcache\ehresja.dll
2008-02-03 20:53 . 2004-08-10 04:13 69,632 --a--c--- C:\WINDOWS\system32\dllcache\ehresko.dll
2008-02-03 20:53 . 2004-08-10 04:13 69,632 --a--c--- C:\WINDOWS\system32\dllcache\ehresfr.dll
2008-02-03 20:53 . 2004-08-10 04:13 69,632 --a--c--- C:\WINDOWS\system32\dllcache\ehresde.dll
2008-02-03 20:53 . 2004-08-10 04:13 61,440 --a--c--- C:\WINDOWS\system32\dllcache\ehreschs.dll
2008-02-03 20:51 . 2004-08-10 03:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-02-03 20:50 . 2004-08-10 03:00 1,677,824 --a--c--- C:\WINDOWS\system32\dllcache\chsbrkr.dll
2008-02-03 20:48 . 2008-02-03 20:48 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-02-03 20:48 . 2008-02-03 20:48 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-02-03 20:48 . 2008-02-03 20:48 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-02-03 20:48 . 2008-02-03 20:48 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-02-03 20:48 . 2008-02-03 20:48 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-02-03 20:48 . 2008-02-03 20:48 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-02-03 20:38 . 2004-08-10 03:00 259,072 --a--c--- C:\WINDOWS\system32\dllcache\snmpcl.dll
2008-02-03 20:38 . 2004-08-10 03:00 40,448 --a--c--- C:\WINDOWS\system32\dllcache\snmpthrd.dll
2008-02-03 20:35 . 2008-02-03 20:35 <DIR> d-------- C:\Program Files\Sigmatel
2008-02-03 20:35 . 2005-03-22 21:20 339,968 --a------ C:\WINDOWS\stsystra.exe
2008-02-03 20:35 . 2005-03-22 02:22 143,441 --a------ C:\WINDOWS\system32\stac97.cpl
2008-02-03 20:35 . 2005-03-22 02:20 90,112 --a------ C:\WINDOWS\system32\stacapi.dll
2008-02-03 12:16 . 2008-02-03 12:16 <DIR> d-------- C:\WINDOWS\dell
2008-01-30 22:09 . 2008-01-30 22:09 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\SiteAdvisor
2008-01-30 20:46 . 2008-01-30 20:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Winferno
2008-01-30 20:45 . 2008-01-30 20:45 <DIR> d-------- C:\Program Files\Winferno
2008-01-30 20:45 . 2006-10-09 12:28 835,584 --a------ C:\WINDOWS\system32\WINCTL4.OCX
2008-01-30 20:45 . 2006-10-09 13:06 495,616 --a------ C:\WINDOWS\system32\WINUTIL5.DLL
2008-01-30 20:45 . 2006-05-17 08:40 393,216 --a------ C:\WINDOWS\system32\WINLCTL5.DLL
2008-01-30 19:35 . 2008-01-30 19:48 <DIR> d-------- C:\Program Files\RegistryFix
2008-01-28 21:50 . 2008-01-28 22:05 <DIR> d-------- C:\Program Files\dbar
2008-01-28 08:05 . 2008-01-28 08:05 294 --ahs---- C:\WINDOWS\system32\ciwjmbwf.tmp
2008-01-28 08:05 . 2008-01-28 08:05 294 --ahs---- C:\WINDOWS\system32\ciwjmbwf.ini
2008-01-26 17:58 . 2008-01-26 17:59 <DIR> d-------- C:\Program Files\Print Workshop 2004
2008-01-26 17:57 . 2008-01-26 17:57 61 --a------ C:\WINDOWS\PrintWorkShop2004.ini
2008-01-19 17:59 . 2008-01-19 17:59 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-19 15:51 . 2008-01-19 15:51 <DIR> dr------- C:\Documents and Settings\All Users\Application Data\SalesMon
2008-01-19 15:51 . 2001-03-08 18:30 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-01-19 15:43 . 2008-01-21 16:50 <DIR> d-------- C:\WINDOWS\system32\nGpxx01
2008-01-18 22:54 . 2008-01-18 22:54 <DIR> d-------- C:\Documents and Settings\Eileen Riedel\Application Data\iWinArcade
2008-01-12 14:48 . 2008-01-12 14:48 <DIR> d-------- C:\Documents and Settings\Evan Riedel\Application Data\Mattel
2008-01-06 14:27 . 2008-01-06 14:27 <DIR> d-------- C:\Documents and Settings\Evan Riedel\Saved Games
2008-01-06 14:25 . 2008-01-06 14:25 <DIR> d-------- C:\Documents and Settings\Evan Riedel\Application Data\iWin
2008-01-05 14:13 . 2008-01-19 23:02 <DIR> d-------- C:\Documents and Settings\Eileen Riedel\.housecall6.6
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-05 03:59 --------- d-----w C:\Program Files\Dl_cats
2008-02-05 03:58 --------- d-----w C:\Documents and Settings\Eileen Riedel\Application Data\SiteAdvisor
2008-02-04 07:53 --------- d-----w C:\Program Files\SiteAdvisor
2008-02-04 07:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-02-04 05:01 --------- d-----w C:\Program Files\Dell Photo AIO Printer 942
2008-01-31 03:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-31 03:47 --------- d-----w C:\Program Files\Coupons
2008-01-30 04:08 --------- d-----w C:\Documents and Settings\Evan Riedel\Application Data\SiteAdvisor
2008-01-29 07:39 --------- d-----w C:\Documents and Settings\Matthew Riedel\Application Data\SiteAdvisor
2008-01-28 17:51 --------- d-----w C:\Documents and Settings\Ashley Riedel\Application Data\SiteAdvisor
2008-01-27 01:58 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-26 02:09 --------- d-----w C:\Documents and Settings\Guest\Application Data\SiteAdvisor
2008-01-26 01:27 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-01-21 23:31 --------- d-----w C:\Program Files\McAfee
2008-01-21 23:27 --------- d-----w C:\Program Files\Common Files\Intuit
2008-01-21 23:23 --------- d-----w C:\Program Files\Hasbro Interactive
2008-01-21 23:22 --------- d-----w C:\Program Files\Electronic Arts
2008-01-21 23:20 --------- d-----w C:\Program Files\GameHouse
2008-01-21 23:19 --------- d-----w C:\Program Files\Google
2008-01-21 22:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Zylom
2008-01-20 21:15 --------- d-----w C:\Program Files\QuickTime
2008-01-20 07:32 --------- d-----w C:\Program Files\DellSupport
2008-01-19 06:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\iWin Games
2008-01-02 19:11 --------- d-----w C:\Documents and Settings\Eileen Riedel\Application Data\iWin
2008-01-02 19:09 --------- d-----w C:\Documents and Settings\Eileen Riedel\Application Data\Media Center Programs
2007-12-31 02:47 --------- d-----w C:\Documents and Settings\Ashley Riedel\Application Data\Mattel
2007-12-31 01:46 --------- d-----w C:\Documents and Settings\Eileen Riedel\Application Data\Mattel
2007-12-31 01:45 --------- d-----w C:\Program Files\Mattel
2007-12-31 01:39 --------- d-----w C:\Documents and Settings\Ashley Riedel\Application Data\InstallShield
2007-12-29 21:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
2007-12-29 21:24 --------- d-----w C:\Program Files\Dell Support Center
2007-12-29 21:24 --------- d-----w C:\Program Files\Common Files\supportsoft
2007-12-29 21:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\SupportSoft
2007-12-15 06:21 --------- d-----w C:\Program Files\SSI
2007-12-15 04:39 --------- d-----w C:\Program Files\EA SPORTS
2007-12-06 07:00 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\SiteAdvisor
2007-12-06 06:58 --------- d-----w C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2007-12-06 06:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-12-06 06:56 --------- d-----w C:\Program Files\Common Files\McAfee
2007-12-06 06:55 --------- d-----w C:\Program Files\McAfee.com
2007-12-06 06:36 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-06 06:36 --------- d-----w C:\Program Files\PcTools
2007-12-06 06:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-12-06 06:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\GTek
2007-12-06 06:14 --------- d-----w C:\Program Files\Dell
2007-12-06 05:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Tools
.
----a-w 63,712 2008-01-20 01:59:09 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy .exe
----a-w 39,792 2008-01-20 01:59:10 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w 221,184 2008-01-20 02:01:13 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
----a-w 151,597 2008-01-20 01:59:16 C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w 16,384 2008-01-20 01:59:22 C:\Program Files\Dell Support Center\gs_agent\custom\dsca .exe
----a-w 68,856 2008-01-20 01:59:42 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w 24,576 2008-01-20 01:59:24 C:\Program Files\Mattel\Barbie Girls\Mattel.BarbieGirls.Tray .exe
----a-w 1,111,552 2008-02-05 03:25:33 C:\Program Files\McAfee\SpamKiller\MskDetct .exe
----a-w 582,992 2008-01-21 02:01:25 C:\Program Files\McAfee.com\Agent\mcagent .exe
----a-w 1,694,208 2008-01-20 01:59:43 C:\Program Files\Messenger\msmsgs .exe
----a-w 53,248 2008-01-20 01:59:06 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask .exe
----a-w 135,168 2008-01-20 01:59:08 C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray .exe
----a-w 192,512 2008-01-20 01:59:08 C:\Program Files\Qwest\QuickCare\bin\sprtcmd .exe
----a-w 36,640 2008-01-20 01:59:21 C:\Program Files\SiteAdvisor\6253\SiteAdv .exe
----a-w 15,360 2008-01-20 01:59:37 C:\WINDOWS\system32\ctfmon .exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 03:00 15360]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [ ]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"QUICKCARE"="C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe" [ ]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [ ]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe" [ ]
"MSKDetectorExe"="C:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe" [ ]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [ ]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [ ]
"BarbieGirlsTray"="C:\Program Files\Mattel\Barbie Girls\Mattel.BarbieGirls.Tray.exe" [ ]
"ISUSScheduler"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" [ ]
"dbar_starter"="C:\Documents and Settings\Gregory Riedel\Application Data\Deskbar_{BBFCAE98-C35B-476b-8E4E-F55877D05649}\starter.exe" [ ]
"Dell Photo AIO Printer 942"="C:\Program Files\Dell Photo AIO Printer 942\dlbubmgr.exe" [ ]
"DellMCM"="C:\Program Files\Dell Photo AIO Printer 942\memcard.exe" [ ]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 21:20 339968 C:\WINDOWS\stsystra.exe]
"DLBUCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBUtime.dll" [2004-11-09 18:47 69632]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe" [ ]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-10 03:00 53760 C:\WINDOWS\system32\narrator.exe]
"tscuninstall"="C:\WINDOWS\system32\tscupgrd.exe" [2004-08-10 02:00 44544]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkhgde]
jkkhgde.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=C:\WINDOWS\pss\QuickBooks Update Agent.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a--c--- 2005-08-05 18:05 344064 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bm]
C:\Program Files\Common Files\SpyGuardPro\bm.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-10 03:00 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
--a--c--- 2003-09-17 07:43 57344 C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell Photo AIO Printer 942]
C:\Program Files\Dell Photo AIO Printer 942\dlbubmgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellMCM]
C:\Program Files\Dell Photo AIO Printer 942\memcard.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
C:\Program Files\Dell Support\DSAgnt.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a--c--- 2004-12-05 22:05 127035 C:\WINDOWS\system32\dla\tfswctrl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--a--c--- 2005-02-23 13:19 53248 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E6TaskPanel]
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
C:\Program Files\Electronic Arts\EADM\Core.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2004-08-10 01:04 59392 C:\WINDOWS\ehome\ehtray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ELNKProxy]
C:\WINDOWS\surfmonkey\smproxy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McRegWiz]
--a------ 2004-07-29 13:55 139264 C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
--a------ 2007-08-18 03:12 394576 C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
--a--c--- 2004-06-10 13:51 60928 C:\WINDOWS\system32\P17.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBReminderFlash]
--a--c--- 2004-11-11 07:26 26112 C:\Program Files\Intuit\QuickBooks 2005\Atom\QBReminder.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-28 22:39 98304 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2007-08-08 12:37 204845 C:\Program Files\Real\RealPlayer\RealPlay.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2003-11-19 14:48 32881 C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ugac]
C:\PROGRA~1\COMMON~1\SPYGUA~1\ugac.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--a--c--- 2000-05-10 22:00 90112 C:\WINDOWS\UpdReg.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe [2004-08-10 03:00]
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe /service []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setup.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-07-07 00:16:17 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2008-01-01 09:00:00 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2008-02-04 04:56:53 C:\WINDOWS\Tasks\rpc.job"
- C:\Program Files\Winferno\RegistryPowerCleaner\RegPowerClean.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-04 20:12:36
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\McAfee.com\Agent\MCAGEN~1.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-02-04 20:16:08 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-05 04:16:04
.
2008-02-04 08:50:13 --- E O F ---
HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:25:15 PM, on 2/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\McAfee.com\Agent\MCAGEN~1.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/m ... earch.html
R3 - URLSearchHook: (no name) - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - (no file)
R3 - URLSearchHook: (no name) - ~4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [QUICKCARE] C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe /P QUICKCARE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe /startup
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [BarbieGirlsTray] C:\Program Files\Mattel\Barbie Girls\Mattel.BarbieGirls.Tray.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKLM\..\Run: [dbar_starter] C:\Documents and Settings\Gregory Riedel\Application Data\Deskbar_{BBFCAE98-C35B-476b-8E4E-F55877D05649}\starter.exe
O4 - HKLM\..\Run: [Dell Photo AIO Printer 942] "C:\Program Files\Dell Photo AIO Printer 942\dlbubmgr.exe"
O4 - HKLM\..\Run: [DellMCM] "C:\Program Files\Dell Photo AIO Printer 942\memcard.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DLBUCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBUtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: EarthLink Google Search - res://C:\Program Files\EarthLink TotalAccess\Toolbar\SearchUI.dll/search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/St ... b55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZB ... b55579.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZP ... b55579.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://cdn2.zone.msn.com/binframework/v ... b31267.cab
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zp ... b55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v ... b56649.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://player.virtools.com/downloads/pl ... taller.exe
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/St ... b55579.cab
O20 - Winlogon Notify: jkkhgde - jkkhgde.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: dlbu_device - Dell - C:\WINDOWS\system32\dlbucoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Server (MskService) - Networks Associates Technology. Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O24 - Desktop Component 1: (no name) - https://exmail.oregonstate.edu/exchange ... f?attach=1
--
End of file - 10251 bytes
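As an added triage aid for the logs above (my own example; it is not ComboFix or HijackThis code and was not posted by anyone in this thread): the script below runs a handful of heuristics over log lines and orders the hits by severity. The rules, their severity ranking and the sample input are my assumptions; the sample is a dozen lines copied from the posted ComboFix and HijackThis logs, mixed with benign ones. The rules are cues for a reviewer, not verdicts: the random-name rule, for instance, also fires on a few genuine Windows files.

```python
"""Heuristic triage of ComboFix / HijackThis log lines.

Added example for this thread, not ComboFix, HijackThis or forum-helper
code. Rules, severities and the sample lines are my own choices; the
output is a list of entries for a person to check, not a malware verdict.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "low" (assumed ranking)
    rule: str
    line: str


# Rule 1: a space before the extension ("ctfmon .exe") is a look-alike of a
# legitimate file that sits in the same directory.
SPACE_BEFORE_EXT = re.compile(r"\\[^\\\s][^\\]*? \.(?:exe|dll|scr|com)\b", re.I)

# Rule 2: Winlogon Notify packages are loaded by winlogon.exe at logon.
WINLOGON_NOTIFY = re.compile(r"winlogon\\notify\\|^O20 - Winlogon Notify", re.I)

# Rule 3: an 8-letter, all-lowercase name in system32 with no vowel or a run
# of four or more consonants. A cue only: it also hits some real files
# (ntoskrnl.exe), so confirm against size, date and signature.
SYS32_NAME = re.compile(r"\\(?i:system32)\\([a-z]{8})\.(?i:dll|exe|ini)\b")
VOWELS = set("aeiou")

# Rule 4: an AutoRun command stored under MountPoints2 for a drive letter.
AUTORUN = re.compile(r"\\Shell\\AutoRun\\command", re.I)

# Rule 5: a Run entry whose target lives inside a user's Application Data.
RUN_FROM_PROFILE = re.compile(r'(?:^O4 - |^"[^"]+"=).*\\Application Data\\', re.I)

# Rule 6: entry whose file is gone; harmless by itself, but worth cleaning.
ORPHAN = re.compile(r"\((?:no file|file missing)\)", re.I)

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def looks_random(name: str) -> bool:
    """True for names with no vowel or with 4+ consonants in a row."""
    if not any(c in VOWELS for c in name):
        return True
    run = longest = 0
    for c in name:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return longest >= 4


def triage(log_text: str) -> list[Finding]:
    """Apply every rule to every line; return findings sorted by severity."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SPACE_BEFORE_EXT.search(line):
            findings.append(Finding("high", "space-before-extension", line))
        if WINLOGON_NOTIFY.search(line):
            findings.append(Finding("high", "winlogon-notify", line))
        match = SYS32_NAME.search(line)
        if match and looks_random(match.group(1)):
            findings.append(Finding("medium", "random-system32-name", line))
        if AUTORUN.search(line):
            findings.append(Finding("medium", "mountpoints2-autorun", line))
        if RUN_FROM_PROFILE.search(line):
            findings.append(Finding("medium", "run-key-in-user-profile", line))
        if ORPHAN.search(line):
            findings.append(Finding("low", "orphaned-entry", line))
    findings.sort(key=lambda f: SEVERITY_ORDER[f.severity])  # stable sort keeps log order
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample: lines lifted from the ComboFix and HijackThis logs in the
# post, mixed with benign ones so the rules have something to skip.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\dfhdbtcj.dll
C:\WINDOWS\system32\knnienno.dll
C:\WINDOWS\system32\sjvwrxys.dll
2008-01-19 17:59 . 2008-01-19 17:59 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
----a-w 39,792 2008-01-20 01:59:10 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 03:00 15360]
"RunNarrator"="Narrator.exe" [2004-08-10 03:00 53760 C:\WINDOWS\system32\narrator.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkhgde]
O20 - Winlogon Notify: jkkhgde - jkkhgde.dll (file missing)
O4 - HKLM\..\Run: [dbar_starter] C:\Documents and Settings\Gregory Riedel\Application Data\Deskbar_{BBFCAE98-C35B-476b-8E4E-F55877D05649}\starter.exe
\Shell\AutoRun\command - D:\setup.exe
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:6} {f.rule:24} {f.line}")
```

Run it as-is and the first lines printed are the `ctfmon .exe` and `Reader_sl .exe` look-alikes and the `jkkhgde` Winlogon Notify package, which is what a helper would want to see first. Note the limit of name-based cues: `dfhdbtcj.dll` is flagged, but `knnienno.dll`, which ComboFix also removed, reads as pronounceable and is not; the file listings with sizes and dates, not the names alone, are what settle such cases.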